PPTX
advertisement
OAuth-as-a-service
using ASP.NET Web API and Windows Azure Access Control
Maarten Balliauw
@maartenballiauw
Who am I?
Maarten Balliauw
Technical Evangelist, JetBrains
AZUG
Focus on web
ASP.NET MVC, Windows Azure, SignalR, ...
MVP Windows Azure & ASPInsider
http://blog.maartenballiauw.be
@maartenballiauw
Shameless self promotion: Pro NuGet http://amzn.to/pronuget
Agenda
Why would I need an API?
API characteristics
ASP.NET MVC Web API
Windows Azure ACS
Why would I need an
API?
Consuming the web
2000-2008: Desktop browser
2008-2012: Mobile browser
2008-2012: iPhone and Android apps
2010-2014: Tablets, tablets, tablets
2014-2016: Your fridge (Internet of Things)
Twitter & Facebook
By show of hands
Make everyone API
(as the French say)
Expose services to 3rd parties
Valuable
Flexible
Managed
Supported
Have a plan
API Characteristics
What is an API?
Software-to-Software interface
Contract between software and developers
Functionalities, constraints (technical / legal) Programming instructions and
standards
Open services to other software developers (public or private)
Flavours
Transport
HTTP
Sockets
Message contract
SOAP
XML
Binary
JSON
HTML
…
Technical
Most API’s use HTTP and REST extensively
Addressing
HTTP Verbs
Media types
HTTP status codes
Hypermedia (*)
The Web is an API
Demo
HTTP Verbs
GET – return data
HEAD – check if the data exists
POST – create or update data
PUT – put data
MERGE – merge values with existing data
DELETE – delete data
Status codes
200 OK – Everything is OK, your expected data is in the response.
401 Unauthorized – You either have to log in or you are not allowed to access
the resource.
404 Not Found – The resource could not be found.
500 Internal Server Error – The server failed processing your request.
…
Hypermedia in action!
Remember the RFC!
Think RFC2324!
demo
Be detailed!
ASP.NET Web API
ASP.NET Web API
Part of ASP.NET MVC 4
Framework to build HTTP Services (REST)
Solid features
Modern HTTP programming model
Content negotiation (e.g. xml, json, ...)
Query composition (OData query support)
Model binding and validation (conversion to .NET objects)
Routes
Filters (e.g. Validation, exception handling, ...)
And more!
ASP.NET Web API is easy!
HTTP Verb = action
“Content-type” header = data format in
“Accept” header = data format out
Return meaningful status code
using ASP.NET Web API
Demo
demo
Creating an API
Securing your API
No authentication
Basic/Windows authentication
[Authorize] attribute
demo
Securing your API
The world of API clients is complex
CLIENTS
AUTHN + AUTHZ
HTML5+JS
Username/password?
SPA
Basic auth?
Native apps
NTLM / Kerberos?
Server-to-server
Client certificate?
Shared secret?
A lot of public API’s…
“your API consumer isn’t really your user,
but an application acting on behalf of a user”
(or: API consumer != user)
OAuth2
Guest badges
Building owner / colleague full-access badge
Guest badge
Your name on it
Limited scope (only 7th floor)
Limited validity (only today)
Guest badges
+--------+
+---------------+
|
|--(A)-- Can access tomorrow?-->|
Resource
|
|
|
|
Owner
|
|
|<-(B)- Sure! Here’s invite ----|
|
|
|
+---------------+
|
|
.
|
|
+---------------+
|
|--(C)----- Was invited! ------>|
|
| Client |
|
Reception
|
|
|<-(D)---- Here’s a badge! -----|
|
|
|
(today;7th floor)
+---------------+
|
|
.
|
|
+---------------+
|
|--(E)------ Show badge ------->|
Resource
|
|
|
|
Server
|
|
|<-(F) Sure you can get coffee! |
|
+--------+
+---------------+
And tomorrow, you’ll have to refresh your badge!
OAuth2
+--------+
+---------------+
|
|--(A)- Authorization Request ->|
Resource
|
|
|
|
Owner
|
|
|<-(B)-- Authorization Grant ---|
|
|
|
+---------------+
|
|
.
|
|
+---------------+
|
|--(C)-- Authorization Grant -->| Authorization |
| Client |
|
Server
|
|
|<-(D)----- Access Token -------|
|
|
|
+---------------+
|
|
.
|
|
+---------------+
|
|--(E)----- Access Token ------>|
Resource
|
|
|
|
Server
|
|
|<-(F)--- Protected Resource ---|
|
+--------+
+---------------+
Figure 1: Abstract Protocol Flow
http://tools.ietf.org/html/draft-ietf-oauth-v2-31
Quick side note…
There are 3 major authentication flows
Based on type of client
Variants possible
On the web…
Access tokens / Refresh tokens
In theory: whatever format you want
Widely used: JWT (“JSON Web Token”)
Less widely used: SWT (“Simple Web Token”)
Signed / Encrypted
JWT
Header:
{"alg":"none"}
Token:
{"iss":"joe",
"exp":1300819380,
"http://some.ns/read":true}
What you have to implement
OAuth authorization server
Keep track of supported consumers
Keep track of user consent
OAuth token expiration & refresh
Oh, and your API
Windows Azure
Access Control
Service
ACS - Identity in Windows Azure
Active Directory federation
Graph API
Web SSO
Link apps to identity providers using rules
Support WS-Security, WS-Federation, SAML
Little known feature: OAuth2 delegation
OAuth flow using ACS
demo
ASP.NET Web API, OAuth2,
Windows Azure ACS
OAuth2 delegation?
You: OAuth authorization server
ACS: Keep track of supported consumers
ACS: Keep track of user consent
ACS: OAuth token expiration & refresh
You: Your API
Conclusion
Key takeaways
API’s are the new apps
Valuable
HTTP
ASP.NET Web API
OAuth2
Windows Azure Access Control Service
http://blog.maartenballiauw.
be
@maartenballiauw
http://amzn.to/pronuget
Thank you!
